3. Issue Certificates

Scenarios: 5
FFI Functions: ~35
Status: Planned

This category covers all scenarios for issuing end-entity certificates: server, client, code-signing, and S/MIME certificates with Post-Quantum algorithms.


Scenarios

ID  | Scenario                 | Description                        | Complexity | Status
3.1 | Server Certificate       | Issue TLS/HTTPS server certificate | *          | Planned
3.2 | Client Certificate       | mTLS client authentication         | *          | Planned
3.3 | Code-Signing Certificate | Software signing                   | *          | Planned
3.4 | S/MIME Certificate       | Email encryption and signing       | *          | Planned
3.5 | Wildcard Certificate     | *.domain.com certificates          |            | Planned

Certificate Types

flowchart TB
    CA[Intermediate CA] --> |issues| SRV[Server Certificate]
    CA --> |issues| CLI[Client Certificate]
    CA --> |issues| CS[Code-Signing]
    CA --> |issues| SM[S/MIME]
    SRV --> |used for| TLS[TLS/HTTPS]
    CLI --> |used for| MTLS[mTLS Auth]
    CS --> |used for| SIGN[Software Signature]
    SM --> |used for| MAIL[Email Security]
    style CA fill:#e8f5e9
    style SRV fill:#e3f2fd
    style CLI fill:#fff3e0
    style CS fill:#fce4ec
    style SM fill:#f3e5f5


Key Usage per Certificate Type

Type         | Key Usage                          | Extended Key Usage | Validity
Server       | digitalSignature, keyEncipherment  | serverAuth         | 1-2 years
Client       | digitalSignature                   | clientAuth         | 1-2 years
Code-Signing | digitalSignature                   | codeSigning        | 2-3 years
S/MIME       | digitalSignature, keyEncipherment  | emailProtection    | 1-2 years

Industry-Specific Requirements

Industry     | Certificate Type | Specifics
Energy/SCADA | Server           | Long validity (5+ years), offline validation
Healthcare   | Client           | gematik OIDs, eGK compatibility
Automotive   | Server + Client  | V2X-specific extensions
Industry 4.0 | Server           | OPC UA compatible, IEC 62443

Quick Start Code

using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

// Assumes the library context `ctx` and the intermediate CA certificate and key
// (intermediateCaCert, intermediateCaKey) were created in an earlier step (not shown here).

// Load CSR
var csr = ctx.LoadCertificateRequest("server.csr.pem");

// Sign with Intermediate CA
using var serverCert = ctx.IssueCertificate(
    csr,
    issuerCert: intermediateCaCert,
    issuerKey: intermediateCaKey,
    serialNumber: ctx.GenerateSerialNumber(),   // serial number generated by the library
    validDays: 365,                             // 1 year, within the 1-2 year range for server certificates
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false)            // end-entity certificate: must not be able to issue certificates
        .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment)
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        .SubjectKeyIdentifier(csr.PublicKey)
        .AuthorityKeyIdentifier(intermediateCaCert)   // links the certificate to its issuer for chain building
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        .Build()
);

serverCert.ToPemFile("server.crt.pem");

Complete example: Scenario 3.1
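The same issuance flow, written here as an added example with the Python `cryptography` package rather than the WvdS library above (which is still planned): the CSR is validated, the extensions from the Key Usage table are applied per certificate type, and the intermediate CA signs. It goes beyond the snippet in handling all four certificate types from one profile table. The intermediate CA, the CSR and the EC P-256 keys (a stand-in for the Post-Quantum keys the page targets) are constructed inside `demo()`; the CRL URL is the one from the snippet above.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID
KU_BITS = ["digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
           "key_agreement", "key_cert_sign", "crl_sign", "encipher_only", "decipher_only"]
PROFILES = {  # (key usage bits, extended key usage, validity in days) per type, from the table above
    "server": ({"digital_signature", "key_encipherment"}, EKU.SERVER_AUTH, 365),
    "client": ({"digital_signature"}, EKU.CLIENT_AUTH, 365),
    "code-signing": ({"digital_signature"}, EKU.CODE_SIGNING, 730),
    "smime": ({"digital_signature", "key_encipherment"}, EKU.EMAIL_PROTECTION, 365),
}

def issue_end_entity(csr, issuer_cert, issuer_key, cert_type, crl_url):
    """Sign a CSR with the intermediate CA key, applying the profile for cert_type."""
    if not csr.is_signature_valid:  # proof of possession of the requested key
        raise ValueError("CSR signature invalid")
    bits, eku, days = PROFILES[cert_type]
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(csr.subject).issuer_name(issuer_cert.subject)
         .public_key(csr.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
         .add_extension(x509.KeyUsage(**{k: k in bits for k in KU_BITS}), critical=True)
         .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(csr.public_key()), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_cert.public_key()), critical=False)
         .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
             [x509.UniformResourceIdentifier(crl_url)], None, None, None)]), critical=False))
    for ext in csr.extensions:  # honour only the requester's SAN; the CA sets every other extension
        if isinstance(ext.value, x509.SubjectAlternativeName):
            b = b.add_extension(ext.value, critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def demo():
    """Constructed throw-away intermediate CA and server CSR; EC P-256 stands in for the PQ key."""
    ca_key, ee_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Intermediate CA")])
    now = datetime.now(timezone.utc)
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(1)
          .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
          .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
          .sign(ca_key, hashes.SHA256()))
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com")]))
           .add_extension(x509.SubjectAlternativeName([x509.DNSName("www.example.com")]), critical=False)
           .sign(ee_key, hashes.SHA256()))
    return issue_end_entity(csr, ca, ca_key, "server", "http://crl.example.com/intermediate.crl")
```

Changing the `cert_type` argument to `"client"`, `"code-signing"` or `"smime"` switches the key usage, EKU and validity to the row of the table for that type.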


Category               | Relationship
2. CSR                 | CSR as input
4. Manage Certificates | Manage issued certificates
10. TLS/mTLS           | Deploy server certificates



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 2026/01/30 at 12:36 AM